This year, Michael Eaton and his colleagues hosted the 4th annual Kalamazoo X conference. I have attended all 4 years and I have to say this was the best one. For those who haven’t yet heard of Kalamazoo X, it is a conference targeted at software developers, but the topics focus on the softer skills (i.e., the non-technical skills) required in your career. Each presentation is only 30 minutes long, which keeps things moving very rapidly. A single track provides a shared experience for all attendees. Every presentation was excellent and the room was packed. Speakers would often reference a presentation from earlier in the day.

Below are my notes from the sessions I attended.

Joe O'Brien: People Patterns
Packed a lot of great ideas.
Never seen a project fail for technical reasons. Corollary: never seen a project SUCCEED for technical reasons.
Deliver bad news quickly.

Laura Bergells: The People You Like the Least are the People You Need the Most
Teams require different personality types.
Idea people (putting the "Fun" in "DYSFUNCTIONAL") and rational people (putting the "No" in "INNOVATION").

Suzan Bond: Intuition: Your Very Own Super Power
Learn to understand intuition and trust yourself. Takes guts.
OK to find ways to back up intuition.

Leon Gersing: Going Gonzo – an exploration of cultures in software development
Allow yourself to separate from the dominant culture and its associated dogma.
Drew inspiration from Hunter Thompson, Frank Zappa, and Georges Seurat.
"Most people doing Agile today are actually doing Waterfall with Agile terms. Agile is dead."
More important to be right than to be wise.
Understand the problems you are solving.

Justin Searls: The Mythical Team-Month
If you are going to fail, fail quickly. We are conditioned to avoid failure.
Finding great developers: most traits are non-technical. Look for one who can succeed without you.

SQL Injection is one of the most frequently exploited vulnerabilities in the software world. It refers to user-entered data being interpreted as part of the commands sent to back-end systems. It is common because so many developers are unaware of the risk and of how to mitigate it.

Most of the applications I work with read from and write to a relational database, such as Microsoft SQL Server. I frequently run across ADO.NET code like the following:

This code is not optimal because SQL Server has no chance to reuse a cached query plan unless the exact same SQL text happens to be submitted again; every distinct value of x produces a distinct statement.

The string concatenation opens the system to SQL Injection attacks.

A SQL Injection Attack is an attempt by an unscrupulous user to pass malicious commands to a database. In the above example, imagine that the variable x was provided by a user typing text into a text box on a web page. An evil user might type something like

"Smith';DROP TABLE Customer;//"

If that code runs with sufficient permissions, it would wreak havoc on your database. The following query would be passed to SQL Server.

Clearly, dropping the customer table is not what your code is intended to do.

Many of you will read the above example and decide that you are safe because

1. Your web code runs under a context with insufficient privileges to drop a table; and

2. You are validating all user inputs to ensure a user cannot enter anything bad.

There are problems with this reasoning.

1. A clever hacker can sometimes trick a user into running code under elevated privileges. Often there are multiple steps to an attack.

2. Even if you have caught every possible injection possibility in your user interface, you cannot guarantee that every call to this API will be made only from your UI for all eternity. You may open up the API to the public, or you may subcontract writing a mobile application that calls this API, or you may hire a new programmer who doesn't know better.

The point is that you need to check security at every level of your application. And part of checking security is to not trust your inputs.

A far better approach than concatenating strings to form a SQL statement is to keep the SQL text fixed and create parameter instances; set the value of each parameter; and add these parameters to the command's Parameters collection. The user's text then travels to SQL Server as a value, never as part of the command.
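To make the contrast concrete, here is an added example (my own illustration, not code from the original post) of the concatenated query next to its parameterized replacement in ADO.NET. The Customer table, its Id and LastName columns, the @lastName parameter name and the connection string are all assumptions chosen for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the post's own code. Assumes a Customer table with
// Id and LastName columns; the caller supplies the connection string.
public static class CustomerRepository
{
    // The fixed command text used by the safe version. Because it never
    // changes, SQL Server can reuse one cached plan for every call.
    public const string SafeQueryText =
        "SELECT Id, LastName FROM Customer WHERE LastName = @lastName";

    // UNSAFE pattern the post warns against: the user's text is spliced
    // into the statement, so a quote in the input changes the command.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT Id, LastName FROM Customer WHERE LastName = '" + lastName + "'";
    }

    // SAFE pattern: create a parameter, set its value, add it to the
    // command's Parameters collection. The input is sent as a typed value
    // and is never parsed as SQL, whatever characters it contains.
    public static DataTable FindByLastName(string connectionString, string lastName)
    {
        var results = new DataTable();

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(SafeQueryText, connection))
        {
            // 1. create the parameter instance (type and length match the column)
            var lastNameParam = new SqlParameter("@lastName", SqlDbType.NVarChar, 100);
            // 2. set its value
            lastNameParam.Value = lastName;
            // 3. add it to the Parameters collection
            command.Parameters.Add(lastNameParam);

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                results.Load(reader);
            }
        }

        return results;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: the string from the post's example.
        string hostileInput = "Smith';DROP TABLE Customer;//";

        // Concatenation lets the input rewrite the statement:
        Console.WriteLine("Concatenated: " + CustomerRepository.BuildUnsafeQuery(hostileInput));

        // With parameters the statement SQL Server receives is always the same;
        // the hostile text is just a (harmless) value compared against LastName.
        Console.WriteLine("Parameterized: " + CustomerRepository.SafeQueryText);
        Console.WriteLine("Parameter value: " + hostileInput);

        // FindByLastName(connectionString, hostileInput) would run the fixed
        // statement above and simply return zero rows for this value.
    }
}
```

The Main method needs no database; it only shows what each version hands to SQL Server. Note that the safe version also addresses the plan-caching problem mentioned earlier, since the command text is identical on every call.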

As always, there will be a lot of developer conferences and other events this summer in my region. Here is a partial list of conferences that have been announced in or near the Heartland region in the coming months. Please let me know if I have missed any.

Saturday, I spoke at the Orlando Code Camp at Seminole State College, just east of Orlando, FL. This was the seventh year of the Code Camp but my first time attending.

The first session I attended was Memory Management Fundamentals – Garbage Collection Deep Dive by Scott Dorman. Scott explained the way memory management works under the hood. Key points: The garbage collector takes care of cleaning up objects when they are no longer needed. It's generally not advisable to implement a finalizer. If your machine has plenty of memory, garbage collection might not occur until the user exits the app. Larger objects are queued up for cleanup. Here is a list of resources: http://geekswithblogs.net/sdorman/archive/2008/09/14/.net-memory-management-ndash-resources.aspx

The next session I attended was Creating a HTML5 WinRT application by Brian Kassay. You can build Windows 8 applications in either HTML5, JavaScript, and CSS3 or in XAML. This session focused on HTML5, JavaScript, and CSS3. In order to work with this, one needs to install Windows 8 and Visual Studio 11 (both are in beta).

I planned to see Richie Rump's Entity Framework - Code First and Magic Unicorns session, but others had the same idea and the room was packed. Rather than stand for an hour, I opted to hear Greg Leonardo's Line of Business development with MVC3. This was a basic overview of how to use MVC. It consisted of more slides than demos. He did explain how MVC's Anti-forgery library works (issues a token to the user with a response and checks for that token in subsequent requests). He also discussed the MVC Anti-XSS library, which is designed to protect your site against cross-site scripting errors. By default, MVC disallows HTML input. If you decide to allow HTML input, it is important to scrub input with the Anti-XSS library.

The final session I attended was Elijah Manor on Exterminating Those Common Pesky jQuery Bugs. Elijah went through a series of common JavaScript mistakes made by developers and showed ways to correct them.

I delivered a session on Visual Studio 2010 Database Tools. It was very well received and the audience asked lots of questions.

The conference was organized by local user group leaders, including Esteban Garcia, a fellow Telerik insider (Telerik sponsored my trip, BTW). The organizers did a very good job on this conference and everything ran smoothly. The one drawback of this event was the lack of an obvious common area where attendees could talk and meet one another. When it was over, we regrouped at a local pub, which gave me the opportunity to meet many members of the local developer community. This was particularly important to me at this conference because I only knew about 5 people among the speakers and attendees. One of the reasons I came down to Orlando was for a chance to meet people in the local Florida communities. It turns out that Orlando, Sarasota, and South Florida have very vibrant communities, based on the enthusiasm of those I spoke with.

Of course I recorded a couple of episodes of Technology and Friends. Elijah Manor and Max Trinidad agreed to go on camera to discuss JavaScript and PowerShell respectively.

The Orlando Code Camp will take place again next year and I'm seriously considering making this an annual trip. I also heard of a few smaller events in the area which might bring me back here.